Enabling end-to-end digital carbon emission tracing with shielded NFTs

In the energy transition, there is an urgent need for decreasing overall carbon emissions. Against this background, the purposeful and verifiable tracing of emissions in the energy system is a crucial key element for promoting the deep decarbonization towards a net zero emission economy with a market-based approach. Such an effective tracing system requires end-to-end information flows that link carbon sources and sinks while keeping end consumers’ and businesses’ sensitive data confidential. In this paper, we illustrate how non-fungible tokens with fractional ownership can help to enable such a system, and how zero-knowledge proofs can address the related privacy issues associated with the fine-granular recording of stakeholders’ emission data. Thus, we contribute to designing a carbon emission tracing system that satisfies verifiability, distinguishability, fractional ownership, and privacy requirements. We implement a proof-of-concept for our approach and discuss its advantages compared to alternative centralized or decentralized architectures that have been proposed in the past. Based on a technical, data privacy, and economic analysis, we conclude that our approach is a more suitable technical backbone for end-to-end digital carbon emission tracing than previously suggested solutions.

be empowered and incentivized to act in a CO 2 -adaptive manner . Consequently, there is a need for verifiable, fine-granular carbon accounting that allows these stakeholders to access corresponding information on CO 2 emissions of their own processes, as well as goods and services that they purchase and to comprehensively disclose it to stakeholders and legislators (Financial Times 2021, Sullivan and Gouldson 2012;Heffron 2021;Strüker et al. 2021).
However, to date such fine-granular and verifiable data is typically not available . For instance, companies that participate in the European Union Emissions Trading System (EU-ETS) are only required to compile and submit their corresponding CO 2 reporting once a year (European Commission 2021). Disclosure also only happens ex-post. This means that the temporal granularity of the data on CO 2 emissions is too low to incentivize adaptive behavior. Moreover, the European Guarantees of Origin (GOs) and EU-ETS certificates represent large quantities of Megawatt hours (MWHs) of electricity and tons of CO 2 (Watanabe and Robinson 2005, Association of Issuing Bodies 2021), thus, lacking the resolution to include smaller stakeholders in CO 2 -adaptive decisions.
Additionally, the current reporting process involves the manual collection and inspection of data and offers no support for automatic verification, scaling the granularity of the current approach is arguably not practical. Consequently, neither the CO 2 -adaptive control of business processes or consumption decisions is possible with the current approach, nor can stakeholders provide evidence for their own or their products' carbon footprints. Our research starts exactly at this point and aims to provide a concept that enables an end-to-end tracing system where CO 2 emission data is verifiable by end consumers, leveraging innovative emerging digital technologies in order to make the energy transition a success. For emission trading and related areas like electricity labeling, several studies have highlighted the suitability of digital platforms to record related information. Researchers have specifically proposed blockchain-based solutions, with their ability to provide cryptographic verifiability and to unite different stakeholders on a single neutral data sharing platform Al Sadawi et al. 2021;Albrecht et al. 2018;Knirsch et al. 2020;Castellanos et al. 2017;Richard et al. 2019;Djamali et al. 2021). However, such proposals generally face significant privacy and trust challenges: In a centralized system, the platform owner would not only need to be trusted regarding data availability and integrity. It also would have significant market power through its control of the platform and access to sensitive personal and business relevant data in terms of energy procurement and emissions labeling . For blockchain-based approaches, the trust issues disappear, but the replicated data storage and processing as well as the impracticality of deleting data from the ledger aggravates issues with sensitive information and conflicts with regulation such as the General Data Protection Regulation (GDPR) (Al Sadawi et al. 2021;Zhang et al. 2019;Munilla Garrido et al. 2021;Sedlmeir et al. 2022).
Several architectures proposed by related work, such as Al Sadawi et al. (2021), represent carbon emissions as tokens on a blockchain. The corresponding architectures are different, for instance, regarding the choice of a public or private blockchain and their consensus mechanism, which can have significant impact on their scalability, energy consumption, and the extent to which sensitive information is problematic (Beck et al. 2018;Cachin and Vukolić 2022;Sedlmeir et al. 2020). Specifically, there is often general criticism that blockchain technology is energy intensive by design; yet, this only holds true for public blockchains that use Proof of Work (PoW) as consensus mechanism. In contrast, energy consumption is not an issue for public blockchains with other consensus mechanisms, such as Proof of Stake (PoS), or permissioned blockchains with voting-based consensus (Sedlmeir et al. 2020;Rieger et al. 2022;Gola and Sedlmeir 2022). Another dimension for comparing such proposals is whether the carbon emission tokens are non-distinguishable (fungible) or distinguishable (non-fungible). Most of the related work focuses on non-fungibility since it enables the traceability and verifiability of CO 2 tokens according to their origin, but the uniqueness of the tokens and transactions increases the ability to attribute stakeholders to their pseudonymous wallet addresses on a public blockchain ledger and is, hence, problematic both from the perspective of organizations and individuals Biryukov et al. 2014;Schellinger et al. 2022). On the other hand, privacy-oriented, blockchain-based solutions, such as Sasson et al. (2014), or solutions that adapt similar approaches in energyrelated use cases (Baza et al. 2021), require that tokens are indistinguishable (fungible) to make transactions unlinkable (Pfitzmann and Hansen 2010), compromising the ability to trace and differentiate different emission sources or to hold stakeholders accountable for malicious behaviour.
Thus, we observe an apparent tradeoff between the verifiability and traceability of tokenized CO 2 credits on the one side and the protection of sensitive information on the other side. We aim to align these requirements by using a fundamentally new approach: This paper proposes a solution that combines shielded, fractional Non-Fungible Tokens (NFTs) with off-chain, bilateral data exchange to provide verifiable CO 2 emission information along electricity supply chains-with high temporal and quantitative resolution to enable CO 2 -adaptive decision making, while keeping sensitive information confidential. Our approach is blockchain-agnostic: as we keep sensitive information off the ledger, we do not need to consider the above-mentioned aggravated confidentiality issues in public blockchains anymore. Depending on the required guarantees in terms of integrity and availability, and stakeholders' reservations in terms of market power of a platform owner, the system can then be built on top of a centralized or decentralized ledger.
Our paper is structured as follows: In the "Background and related work" section, we give a detailed overview of related research and previous work on documenting carbon emissions. Next, we shed light on our technical architecture in the "Implementation" section and describe how we use our approach in the exemplary "Application for the case of charging electric vehicles" section. We then evaluate the practicality and solution fitness of our approach in the Contribution and Discussion section where we also discuss the wide-ranging contribution of our approach. Finally, we summarize our findings in the "Conclusion".

Background and related work
Research stream on energy informatics and CO 2 emission tracing applications is widespread, ranging, among others, from topics concerning energy efficiency (Watson et al. 2010), energy flexibility, e.g., provided by electric vehicles (Holly et al. 2020) or its exploitation via artificial intelligence Hanny et al. 2022), over data centers that are enabled to act in the sense of the energy transition (Klingert 2018;Fridgen et al. 2021), to the potential of IS for future energy data spaces to improve collaboration and energy systems' robustness . In 2014, Goebel et al. provided an overview of goals, themes, and use cases of Energy Informatics research that distinguishes relevant topics between "smart energy-saving systems" and "smart grids" (Goebel et al. 2014). More recently, several papers from the Energy Informatics community have emphasized the urgent relevance of decreasing CO 2 emissions by appropriate IS (Fiorini and Aiello 2018;de Lima et al. 2021;Zampou et al. 2022).
Against this background, Energy Informatics scholars are encouraged to elaborate on comprehensive and scalable digital solutions that are capable of providing CO 2 data in adequate granularity in order to enable a purposeful CO 2 -adaptive decision making. Related work has already argued that there is a need for higher temporal as well as spatial granularity of CO 2 in energy management and in energy markets Pina et al. 2012). To enable CO 2 -adaptive actions, corresponding CO 2 emissions must be easy to disclose along products' life cycles and supply chains to allow for the differentiation of low-carbon businesses and products , World Economic Forum 2021. This can even help businesses become more competitive, as consumers are increasingly willing to pay for sustainable products, reinforcing the transition towards sustainable production (Herbes and Ramme 2014;Goebel et al. 2018). The adoption of Personal Carbon Allowances (PCAs) may further accelerate this trend by turning CO 2 -adaptive decision making into a necessity for businesses and end-consumers alike (Fuso Nerini et al. 2021). However, measuring environmental performance adequately is challenging due to limited data availability Björklund et al. 2012), complex supply chain networks-ranging from player diversity to inadequacy of current supply chain metrics-and corresponding enterprise systems (Hervani et al. 2005;Ahi and Searcy 2015;Lehtinen and Ahola 2010).
Moreover, specifically the fine-granular recording of CO 2 emissions across different suppliers within or even across sectors is not only challenging to implement and govern but also raises substantial data confidentiality concerns (Hassini et al. 2012). Furthermore, when a corresponding centralized platform needs to be provided by a business or international organization, there will likely be issues regarding trust and economic or political power. On the other hand, solutions incorporated in organizations' Enterprise Resource Planning (ERP) systems lack interoperability and end-to-end verifiability owing to their fragmentation. Therefore, businesses and end-customers require specialized IS to capture and to analyze sustainability-related data along their supply chains (Maestrini et al. 2017;Qorri et al. 2018). Today, these IS should reveal information only selectively instead of providing complete transparency for all parties involved owing to the sensitivity of the respective fine-granular CO 2 emission data. Nonetheless, they must provide end-to-end traceability, starting from the consumer and pointing back to the corresponding sources, to enable the provisioning and levering of verifiable and finegranular CO 2 emission data necessary to facilitate and incentivize CO 2 -adaptive decision making.
As electricity systems are responsible for a large share of the global CO 2 emissions (Rouholamini et al. 2020), and they are at the same time arguably one of the simplest examples of a connected supply chain of a relatively homogeneous good, we focus on emissions from the generation of electricity. On the electricity market-among other things due to the growth of renewable energy sources-there is now some degree of differentiation according to the level of CO 2 intensity, so provenance is not a trivial topic ). On the other hand, there are no repeated refinements or assemblies of goods that were themselves manufactured with some CO 2 footprint to a new product in a process that may is potentially carbon-intensive in itself. In addition, electricity data for industrial consumption and production is already generated in useful 15-min intervals within the synchronous grid of Central Europe (Märkle-Huß et al. 2018), and the provisioning of smart-meters aims to produce comparable data streams for small consumers in the foreseeable future, too (Zhou and Brown 2017). The tracking of CO 2 emissions along electricity supply chains is hence an appropriate and illustrative use-case that we will focus on in the following (cf. Application for the Case of Charging Electric Vehicles section). Against this background, our research contributes to Energy Informatics research and provides a novel concept on how to bring traceability regarding CO 2 emissions into electricity systems by appropriate IS solutions.

Applications of blockchain-based tokens in the energy sector
In our analysis of related work, we found general agreement that digital solutions are required for the recording, exchange, and accumulation of fine-granular CO 2 emission information that is essential for products with a complex production and usage life cycle (Al Sadawi et al. 2021). In this context, publications like (Pigeolet and Van Waeyenberge 2019; Jackson et al. 2018) emphasize the importance of establishing interoperability and trust in the correct documentation of CO 2 emissions not only across businesses but also across domains and legislations. As these two objectives can be difficult to achieve in siloed IS, researchers-also from the Energy Informatics community-have repeatedly proposed blockchain technology as a technical basis for CO 2 emission documentation or trading (Al Sadawi et al. 2021;Albrecht et al. 2018;Richard et al. 2019;Jackson et al. 2018). Blockchain undoubtedly brings several characteristics that seem appealing in this context, for instance, it offers a neutral platform that even mutually distrusting stakeholders can agree on Fridgen et al. (2018), and it facilitates the exchange of value by avoiding the double spending of digital assets. These assets can either be defined purely inside a blockchain or represent existing physical or digital objects. Several projects, like Toucan, RegenNetwork, Moss, or KlimaDAO, focus on the hitherto less transparent market for voluntary CO 2 offsetting. These markets offer the opportunity to invest in projects that aim to consume CO 2 . In order to provide the often missing transparency and to prevent the "double spending" of CO 2 offsets, they rely on a blockchain-based infrastructure. However, such projects do not consider the necessary identification of emissions that would enable a CO 2 -adaptive decision making as we discuss in this paper but rather their compensation.
Blockchain technology achieves decentralized platforms by replicated information processing and consensus on what is the correct state of the ledger (Butijn et al. 2020). It, thus, carries a high degree of transparency and can enforce implemented rules.
However, transparency in this context is a two-sided sword: Information on a businesses' CO 2 emissions can be problematic because it constitutes sensitive business data that may allow competitors to infer information that they should not get access to or even conflict with antitrust regulation Schellinger et al. 2022). In a downstream approach, CO 2 emission data could even become personally identifiable and, thus, conflict with data protection regulation and end users' privacy requirements. As blockchains only provide pseudonymization and their transparency typically enable linking transactions, their use is, thus, problematic, and additional privacy-enhancing technologies must be applied Munilla Garrido et al. 2021;Sedlmeir et al. 2022). There are also "traditional" types of ledgers which can be more or fully centralized and also can have different models for accessing data and publishing new data to the ledger. These can reduce privacy issues, since they only grant access to the data to a predefined group, but especially for sensitive data like energy usage this can still be problematic. A very popular approach to solve privacy issues in blockchain-based systems (and that could also be used in centralized systems) are so-called shielded transactions, for example, in Zcash or Monero, which hide both identities and exchanged values. However, unlike cryptocurrencies, where the total supply is either an invariant or follows strictly defined rules, CO 2 emission systems are not closed: CO 2 emissions data needs to be fed into the system permanently and reliably. In the context of blockchain, this is often referred to as the "oracle problem". Consequently, some degree of transparency with respect to amounts and identities that are responsible for the emission needs to be present, and emissions have to be distinguishable with respect to their source and history to reflect this property. Such "distinguishable" objects are commonly represented by NFTs on blockchains.
There are also NFTs that allow the ownership of parts of the asset represented by them. This is called fractional ownership (cf. Implementation section). Such a splitting of distinguishable objects between multiple entities has already been suggested, for instance, in the context of art markets and creative work (Barbereau et al. 2022;Whitaker and Kräussl 2020) and real estate (Sunyaev et al. 2021;Bechtel et al. 2022). We aim to apply fractional ownership to facilitate the splitting and aggregation of CO 2 emission information in the electricity system's supply chain.

Privacy-preserving (non-)fungible tokens in other research areas
It is precisely the design of a CO 2 emission tracing system that satisfies verifiability, distinguishability, fractional ownership, and privacy that we want to contribute to. Common NFTs, like implemented in the ERC-721 token standard on the Ethereum blockchain (Ethereum Foundation 2022), offer transparency and distinguishability as well as fractional ownership, but fail to provide privacy. On the other hand, privacyoriented payment solutions like ZCash offer privacy and transparency corresponding to the currency's set of rules, but do not offer distinguishability. A combination of privacy and non-fungibility is often referred to as shielded NFTs, as implemented for instance in EY's Nightfall (EYBlockchain 2020). This approach to shielded NFTs comes closest to what we aim for, but so far, to the best of our knowledge, there are no shielded NFTs that allow for fractional ownership. In this sense, our approach is not only the first to combine the necessary requirements, i.e., verifiability, distinguishability, fractional ownership, and privacy, for CO 2 tracing systems but also closes the technical gap of implementing shielded NFTs with fractional ownership.

Technical background
In order to discuss and compare different existing approaches with the one we present in the following, we provide a common understanding about relevant cryptographic basics. We start with hash functions, which are an essential component of most cryptographic systems (Schneier 2017). A hash function H is a deterministic function that maps an input x of arbitrary length to an output y of fixed, relatively short, length, aiming to fulfill two essential properties. First, hash functions should be one-way functions, meaning that it is very difficult-nearly impossible-to determine the input x given an output y = H (x) , we call this pre-image resistance. Second, they should be collision resistant, which means that it is very difficult to find two inputs x 1 and x 2 sharing the same output y, i.e., H (x 1 ) = H (x 2 ) cannot be solved efficiently when x 1 = x 2 .
Another essential building block of most blockchain systems are Merkle trees (Merkle 1988). They combine the hierarchical data structure of a tree with the utility of hash functions with the purpose of representing multiple data points efficiently under a single hash. A tree, in general, is a data structure consisting of multiple data points called nodes. Starting from the first node, called the root, every (parent) node has child nodes, which themselves have child nodes, and so on, until the lowest level of nodes is reached. We call these nodes without own child leaves. Each leaf of a Merkle tree represents a hash of one of the data points. Each parent node consists of the hash of the concatenation of all its child nodes. Thereby, each parent node represents its child nodes, and the Merkle root represents all data points (leaves) of the tree. When we speak about Merkle trees, we mean by default fully perfect binary trees, this type of tree consists of nodes having either two or no child nodes and leaves having the same number of (in)direct parent nodes. Besides the properties of hash functions such as pre-image and collision resistance, Merkle trees provide so-called Merkle proofs, which offer the possibility to prove that a data point is part of the tree, represented by the Merkle root, without having to include other data points directly in this proof. In order to do so, the prover just requires the "path" of the data point inside the tree, which are all nodes of the tree with which the leaf of the data point is directly or indirectly hashed. Thereby, pre-image resistance prevents from reconstructing any other data point and collision resistance from creating Merkle proofs for data points which are not part of the tree. The required storage for Merkle trees grows constantly with the number of data points it represents, but the size of a Merkle proof only grows logarithmically.
The third cryptographic building block we use are Zero-Knowledge Proofs (ZKPs). The fundamental concept of a ZKP is to generate a proof that a statement is true, without revealing more useful information than the statement itself (Goldwasser et al. 1989). Examples are proving that a computation for a known output was done correctly without redoing the whole computation process or verifiably showing that one has a certain piece of information that leads to a given hash without presenting it. Like most other cryptographic concepts, ZKPs are based on the hardness of cryptographic problems, meaning that it is "practically infeasable" to generate a valid proof from a false statement. One of the most popular zero-knowledge proving systems for relatively general computer programs are Succinct Non-interactive Arguments of Knowledge (SNARKs) (Ben- Sasson et al. 2013). They consist of two main steps: First, representing a computer program by a polynomial, which is possible for all finite programs, and second proving that the polynomial has specific roots, which could only be obtained if the program was executed correctly, without revealing the full polynomial. For the conversion, so called "circuits" are defined, which represent a computer program as a closed system. Each circuit has a fixed number of constraints that corresponds to the degree of the polynomial required for the proof and depends on the complexity of the underlying computer program. In practice, these circuits need to be optimized to have acceptable computational costs. Specifically, hash functions like SHA256 (Appel 2015) involve many constraints, which is why hash functions specialized for ZKPs, such as Poseidon (Grassi et al. 2021), often find application. The second step, proving the knowledge of a polynomial with specific roots, is based on basic polynomial properties, especially the factorization of polynomials and the fact that two non-identical polynomials of degree d cannot have more than d points of intersection. For SNARKs, this is combined with other cryptographic primitives such as partially homomorphic encryption and pairings of elliptic curves. On the other hand, there are also ZKPs that only require secure hash functions for their construction, called Scalable Transparent Arguments of Knowledge (STARKs) (Ben- Sasson et al. 2019).

Implementation of privacy-preserving NFTs in detail
After giving an overview of different approaches and preliminary work, we will use the following section to present our implementation of privacy-preserving, fractionalizable NFTs. We start by introducing related, existing implementations that fulfill some of the requirements of our system. Subsequently, we explain our implementation in detail. As discussed earlier, an implementation of a documentation and trading system for carbon emissions needs to satisfy at least the following requirements: Verifiability, distinguishability (non-fungibility), traceability, support of fractional ownership, and privacy, including GDPR-compliance. As, for example, the Bitcoin blockchain satisfies verifiability of transactions and NFT standards on Ethereum smart contracts moreover provide distinguishable and traceable digital assets, fractionality and privacy have not yet become a widely known practice. To the best of our knowledge, there are no current implementations for privacy-preserving (shielded) NFTs with fractional ownership, especially not in the application of emission tracing. As we build on and extend existing approaches, we want to present and discuss them briefly.
The implementation of NFTs facilitates non-fungibility in blockchain-based systems. The ERC-721 token standard is the first standardized implementation of NFTs on the Ethereum blockchain. The subsequent ERC-1155 standard combines fungible (ERC-20) and non-fungible (ERC-721) tokens and additionally enables splitting them for fractional ownership. On the other hand, these standards do not provides strong privacy guarantees because-while user addresses are pseudonymous-transactions are linkable (Biryukov et al. 2014;Pfitzmann and Hansen 2010). Zcash on the other hand, which was proposed by Sasson et al. (2014) and is one of the first blockchain-based solutions for anonymous "electronic cash", offers different privacy and transparency options, depending on the type of transaction, but does not provide distinguishability. It uses Merkle trees to store the different transactions and ZKPs to verify them without revealing information to the public. Yet, Zcash is limited to simple payments with fungible tokens. The cryptocurrency Tezos with its Sapling integration (Nomadic Labs 2021) adopts the concept (and partially even the implementation) of Zcash but applies it inside smart contracts. Thereby, it enables private transactions for other tokens than just the blockchain native token, but the privacy is still limited to fungible tokens. EYs nightfall implementation (EYBlockchain 2020), which is usable on Ethereum and other EVM-compatible blockchains, further develops Tezos' sapling implementation and adds the possibility to transact non-fungible tokens. With this, Nightfall provides private transactions for NFTs, making it the implementation that fulfills the most of our requirements, but still misses the fractionalizability of the shielded NFTs.
For our prototype, we took the Zcash approach introduced in Sasson et al. (2014) as a basis. This approach builds on top of the Unspent Transaction Outputs (UTXO) model, first introduced by Bitcoin, and combines it with ZKPs constructed with SNARKs to achieve full privacy in its native token transfers. A transfer involves consuming some of the sender's UTXOs and creating new UTXOs. The sender issues a new UTXOs, which comprises a public key and an amount, to the receiver address. Since UTXOs can only be spent in their entirety, in most cases the sender issues a second UTXO to its own address again. Its value results of the old coins minus the value of the new coins, i.e., this UTXO in some sense represents the change of the transaction. Everyone can verify that a UTXO has not been spent before and that the total input and output values match. As the sender can issue every new UTXO to a new public key (address), it seems privacyoriented at first. However, the direct linkage of spent and newly created UTXOs in fact allows to de-anonymize most transactions using more sophisticated tools (Biryukov et al. 2014). Consequently, to enhance privacy and to hide sensitive information on the public blockchain ledger, Zcash does not verify transactions based on a publicly linkable transaction history. Using hash functions and adding some randomness as entropy ("salt"), one can easily hide all transaction details, including transaction addresses, spent coins, received coins, and change, which are usually visible to all network participants. We call these salted hashes of the context of each UTXO commitment. A private ("shielded") Zcash transaction hence has to involve a proof of knowledge of all pre-images of a all involved commitments to ensure that the transaction actually corresponds to a commitment in history and that all new commitments are valid. This involves, for example, to prove the ownership of a commitment and to ensure constant supply, i.e., to prevent the creation of new tokens from thin air. To make sure that one cannot spend coins multiple times, the commitment needs to be "nullified", i.e., tagged as "spent". However, to ensure the unlinkability required for anonymous transactions, there must be no direct pointer to the UTXOs consumed and created in a transfer. Hence, a Merkle tree of initially fixed (large) size bundles all commitments, where each leaf represents one commitment. When conducting a new transaction that creates two new commitments, the blockchain nodes add the commitments to the Merkle tree and post the Merkle root of that new resulting tree on the blockchain. This makes it possible for the owner of a commitment to verify its existence by a proof of membership in the Merkle tree. This proof of membership validates a Merkle proof for a certain commitment through a ZKP and publishes only the corresponding Merkle root, which has to exist on the ledger at any point of time. Additionally, the sender creates a nullifier for the commitment, which will also be appended to the blockchain. Knowing the pre-image of all involved UTXOs' commitments, the sender's ZKP also proves-without revealing the commitment or the associated transfer amount and addresses involved-that: (1) the new commitments create no new coins, i.e., the total amount in the spent UTXOs equals the total amount in the newly created UTXOs, (2) the spending commitment exists (proof of membership), (3) the sender owns the spending commitments, i.e., knows the associated private key, (4) the sender correctly derives the nullifier from the pre-image of the spending commitment. To process a transfer, consisting of a ZKP, two commitments, a nullifer, and a Merkle root, the network checks the statements (1)-(4) and that the revealed nullifier has not been published before. If all this is true, the network adds the commitments to the tree (and updates the Merkle root accordingly) and appends the nullifer to the corresponding list.
To account for the intended distinguishability, i.e., non-fungibility of CO 2 certificates represented by shielded UTXOs, we adapt the approach of Zcash and add further information to the commitments' pre-images. Hereby, we essentially make them represent shielded (fractional) NFT transfers. The pre-image of each commitment in our approach contains the following attributes: • Hash: The hash of the object the NFT represents (e.g., emission certificate). • Quantity: The share of the object represented by this UTXO. • Public Key: The NFT owner's public key. • Consumed: Marks the NFT as consumed when the represented object no longer exists. • Salt: Ensures that each commitment is unique through adding entropy.
The CO 2 emissions tracing implementation we present here can be managed by blockchain technology, just like Zcash. However, as a large-scale and fine-granular carbon market would arguably have higher requirements on throughput in the future and as we do not focus on performance improvements in this paper, we assume instead that a central institution manages the associated ledger, which we call ledger authority. Due to the privacy-by-design of our approach, businesses and end-users must trust this institution only with regard to integrity and non-censorship, but not with their sensitive information.
Although we assume that a central instance can manage the ledger without restricting the privacy of the users, the initial creation of the NFTs ("minting") should rely on a central institution alone, since this again requires access to partially sensitive data and creates several challenges regarding scalability when aiming for a fine-granular tracing system. This is why the verification of CO 2 emission data and the subsequent minting of certificates should be carried out as decentralized as possible. We aim for a system in which each emission-relevant plant is capable of minting its NFTs on its own. For this purpose, we assume that trust-creating parties embed trustworthy sensors in each of these plants. Each sensor has a unique and non-transferable public-private key pair, on behalf of which it is capable of minting new NFTs. In this digital identity approach, the trust-creating parties report all trustworthy public keys to the ledger authority, which writes them on a safelist holding all public keys authorized for minting. To avoid that every minter has to authenticate with their public key every time they create a NFTs, the safelist is represented by another Merkle tree holding one public key in each leaf. Hereby a minter can utilize a proof of membership on the safelist tree to avoid showing its public key. To ensure private transaction creation, we require that both the commitment and safelist Merkle tree have public read access. However, if the respective use case desires a decentralized management of the ledger, our approach can operate without further concerns regarding the privacy of transactions, etc., within a blockchain infrastructure. Figure 1 features the ZKP's main statements for a minting transaction. In our nomenclature, INPUTS are private (the prover does not reveal them) yet some of the private inputs may be exchanged between sender (prover) and receiver [for instance, the receiver's Public Key (PK)], OUTPUTS are public (they need to be disclosed for verification of the ZKP). To mint a new NFT, the minter creates and sends a valid minting-ZKP, the Merkle root of the current safelist, and the new commitment to the ledger authority. Subsequently, the authority verifies the ZKP, checks if the safelist's root matches to the one stored on the ledger, and finally adds the commitment to the ledger. This transaction does not disclose the miner's identity or any details about the NFT.
As in Zcash, a nullifier must invalidate a commitment; therefore, there are two properties that it should fulfill. First, it must be bound to the pre-image of the commitment (without being linkable to the value of the commitment) and second, it should only be possible for the owner of the commitment to create it. Therefore, we chose an implementation where the pre-image of the nullifier includes the signature of the commitment itself using the Secret Key (SK) corresponding to the commitments PK: nullifier = Hash(Signature(SK, commitment)) . Previous to the proof generation, the receiver sends its PK to the sender. Due to the fact that the commitment Merkle tree has public access rights, senders can generate a proof of membership for their commitment by their own. Consequently, senders have all information for creating the ZKP, which Fig. 2 describes. Since the nullifier consists of a signature of the commitment and its preimage contains its owner's PK, only the holder of the matching SK (owner of the NFT) is capable of generating the nullifier and therefore spending the commitment. Thus, the sender submits the Merkle root, the nullifier, and the two new commitments along with the transfer-ZKP, which confirms the correct generation of all these hashes (commitments and nullifier) to the ledger authority. The authority validates the ZKP and checks whether the Merkle root existed at some point in history. If these conditions are met, the ledger authority adds the receiver and change commitment to the tree, updates the new Merkle root, and appends the nullifier to the list. At this point, the ledger authority  settled the transaction by storing it on the ledger, but transaction recipients cannot realize or even utilize this yet. Consequently, the sender has to send the transaction receiver the pre-image of the newly added receiver commitment. Finally, the recipient can verify the pre-image of the transaction by comparing its hash to the commitments on the ledger. As the sender issued the receiver commitment to the receiver's PK the receiver is now capable of proving the ownership or spending the NFT on behalf of its SK.

Application for the case of charging electric vehicles
As mentioned above, we exemplary apply our approach for the use case of charging electric vehicles, where we aim to provide verifiable data to the end-consumer, for example, the owner of an electric vehicle. This data entails information about the CO 2 emissions that are associated with the amount of electricity that has been charged. Of course, this information is aggregated and disaggregated along the accounting or contractual path of the electricity-and not along the physical path, which is not possible to trace. Figure 3 illustrates the application of shielded fractionalized NFTs for a proof-of-origin of green electricity. To simplify this illustration, we present a self-contained scenario with few stakeholders involved. Any further transfers between additional participants would be integrated in the same way. In our scenario, we consider a windmill that generates electricity. The windmill is owned by an electric utility. This electric utility directly sells electricity to an electric vehicle, which charges its battery at one of the electric utility's charging point. We assume that the windmill generates at least that much electricity the electric vehicles consumes. The electric utility advertises to issue certificates of origin for each delivery, with a temporal granularity of 15 min.
In order to address the oracle problem and ensure the correctness of external data that is fed into the system, we further assume that during the construction of the plant, a trustworthy third party ("certifying party") installed a tamper-proof sensor unit and adds the sensor's public key to the safelist tree on the ledger. The sensor unit signs all measurements of electricity generation and a factor of proportionality for the associated carbon equivalent emissions using asymmetric encryption. In a more complex real-world Transfer INPUT: Pre-image of sender commitment, amount, PK of the receiver, salts for the change and receiver commitment, nullifier of the sender commitment, Merkle proof for the sender commitment OUTPUT: Merkle root, nullifier of the sender commitment, receiver commitment, change commitment CHECKING THAT: • The Merkle proof of the sender commitment is valid • The accounting is correct; amount > 0; sender = receiver + change • The pre-image of the nullifier is correct, was not published already and corresponds to the commitment • The pre-image of the receiver commitment is correct • The pre-image of the change commitment is correct Fig. 2 Zero-Knowledge Proof-Transfer setting, one would arguably use certificate chains and only add the public keys of some root certificates to the registry. Further, the certifying party issues a digital certificate about the plant's master data in the computing environment of the sensor. Restricting the minting of NFTs only to the sensor's secure environment reduces the risk of fake certificates. Further, if a participant detects an anomaly for an NFT, the information attached to it, i.e., the corresponding asset's master data, enables tracing to the source of it.
We assume that the plant produces 100 kWh in each 15 min interval, with almost zero associated CO 2 emissions, as the windmill is a renewable energy source. Consequently, in each interval, the windmill mints a new proof-of-origin NFT for the amount of electric energy produced. The certificate of origin associated with the NFT-which represents the pre-image of the corresponding commitment-is structured as described above and consists of the following attributes: • Hash (Certificate): The hash value of the proof-of-origin certificate represented by the NFT. It holds the time interval in which the plant produced the electricity and all relevant master data of the plant. The certificate may look like:  After collecting all this data, the plant requests the current safelist tree from the ledger. Based on this information, the plant creates the Minting-ZKP, which includes a proof that the PK in the certificate is contained in the safelist tree, and sends it to the ledger authority. The ledger authority validates the ZKP and adds the newly minted commitment to the global commitment tree. As soon as the ledger authority has added the new commitment and notified the windmill in an acknowledgement of successful minting, the windmill transfers the newly minted NFT entirely to the electricity utility. This first transfer process takes place analogous to the next transfer, which we describe in detail. The electric vehicle charged exactly 10 kWh during the first 15 min interval. The forgery-proof, certified sensors in the vehicle and the charging point trustfully record this consumption. According to this record, the electricity utility forwards a fraction of the NFT-10% of it-to the electric vehicle. To do so, the electricity utility first requests the current commitment tree from the ledger and the vehicle's PK, which represents the receiver address. With this information, the electricity utility can extract a Merkle proof of its possession of the full (share of 100%) of the NFTs. It then consumes this share and creates two new fractionalized NFT from it, which add up to 100%. The electric vehicle's NFT includes the following information: • Hash (Certificate): Exactly the same hash representing the same proof-of-origin certificate as minted previously by the windmill • Quantity (kWh): 10 • Public Key: 0 × 2345 (PK of the electric vehicle) • Salt: 9132 The other NFT contains the "change", i.e., the rest of the fractionalized NFT which stays at the utility: • Hash (Certificate): Exactly the same hash representing the same proof-of-origin certificate as minted previously by the windmill • Quantity (kWh): 90 • Public Key: 0 × 1234 (PK of the electric utility) • Salt: 1252 For this transfer, the electric utility creates a Transfer-ZKP and sends it to the ledger authority. After checking the Transfer-ZKP and whether the nullifier has been published before, the ledger authority updates the ledger and sends a confirmation receipt for the transfer to the electricity utility. Subsequently, the electricity utility informs the electric vehicle about the transfer by sending the pre-image containing inter alia the proof-oforigin certificate of the new NFT. The electric vehicle checks if the NFT is now indeed in its possession by checking the correctness of the pre-image, for instance, the PK. In addition it checks using the current commitment tree if the new NFT is also settled on the ledger. This process will be repeated for all time intervals in which the vehicle is charging. For example, if the vehicle charges for one hour, it will receive four of these proof of origin certificates represented by fractionalized NFTs in the end and can clearly trace to which plant the consumed electricity is attributable. They can also compute the CO 2 emissions associated with their proof of origin by multiplying the original certificate's factor of proportionality for carbon emissions (kg CO2eq) with the amount of electricity represented by the NFT that they own, i.e, its "quantity". Thus, our approach enables end-consumers to trace and cryptographically verify emission data by using anonymized data on the ledger.

Contribution and discussion
This section briefly highlights the contributions to research and practice resulting from our work. In addition, it discusses corresponding implications of our research.
Overall, our paper outlines a new concept for CO 2 emission tracing in the course of the energy transition that enables an end-to-end connection, i.e., data exchange, between energy supplying and energy demanding assets by shielded NFTs with fractional ownership. Our approach boils down to the bilateral, digital exchange of distinguishable and divisible carbon certificates with a blockchain-based, fully anonymous double spending prevention. Moreover, this paper also demonstrates our concept's applicability by a prototypical implementation.
Our concept provides end consumers with real-time information about the consumed CO 2 emissions associated with the amount of electricity bought. Here, the "amount of electricity bought" refers to the business-sided, i.e, contractual, transactions of electricity while the physical delivery of electricity, i.e., electrons, is not traceable in modern electricity systems, of course. Against this background, our concept enables an end-to-end verifiable traceability of fine-granluar CO 2 emissions in energy systems in (close to) real-time. Since such a concept for fine-granular tracing of emission data produces sensitive data, it is mandatory to consider the protection of this data at an early stage. Most approaches are based on the concept of privacyby-trust, which relies on the assumption that certain parties handle sensitive data in a trustworthy manner. We based the approach presented in this paper strictly to the idea of privacy-by-design, according to which no sensitive data become accessible to third parties. Hence, our research is the necessary foundation for a CO 2 adaptive decision making, for example, in energy-intensive industries. Moreover, it may be the foundation for future carbon trading markets.
Regarding our concept's applicability, which is highly needed in the course of energy informatics (cf., among others, Staudt et al. 2019), we find that already with a prototypical implementation on commodity hardware and a centralized ledger, our approach has practical performance, specifically on the end user side. Using the Poseidon hash function, our circuit has around 10, 000 Rank 1 Constraint System (R1CS) constraints. We tested performance on an Ubuntu 20.04 virtual machine with 4 virtual cores and 16 GB or RAM allocated, running on a commercial standard laptop (Dell Latitude 7400 with an Intel i7 8665U CPU). We averaged our time measurements over 100 iterations for each operation. Proof creation-the most computationally intensive operation in the Groth16 SNARK system (Groth 2016)takes around 4.0 s when using the default setting that used Web assembly for witness generation and JavaScript for proof generation. The (static) proving key that needs to be stored for creating proofs has a size of around 6.3 MB, the (static) verification key needed for verification of around 3.5 kB. The size of the proof itself is less than 1 kB. These figures suggest that proof creation could be practical on a mobile phone, too. With a more optimized tool for proof generation, performance can even be improved considerably: With witness generation in C++ and the "Rapidsnark" software (Hermez Network 2021) that uses ×86 Assembly, the time for proof generation is only 0.23 s. So far, there is no optimized software for proof verification, which correspondingly takes around 1.0 s in JavaScript. Other libraries claim to have verification times of less than 10 ms for similar Groth16 SNARKs (Amine et al. 2020). In summary, we conclude that our approach is implementable in practice.
This paper contributes to the body of knowledge of both, of the computer science and applied cryptography community by demonstrating an implementation for shielded NFTs with fractional ownership, and of the energy informatics community by developing a new concept for applicable and target-oriented CO 2 emission tracing. Moreover, our research holds various contributions for practice as it may impact both, businesses and policy. Regarding the latter, policy may challenge existing approaches, e.g., the EU-ETS, that aim at decreasing CO 2 tracking emissions while not being able to provide high temporal and quantitative granularity of CO 2 emissions. Against this background, policy-makers must reconsider the targets they would aim for and they must evaluate how to develop existing approaches further. Regarding businesses, our concept enables various potential benefits that range from the possibility to provide product-specific CO 2 emission information to end consumers, e.g., in the case of e-mobility charging, to the enabling of CO 2 -adaptive decision making or process management, e.g., in the case of industrial manufacturing. Thinking further, our concept may also be the technical cornerstone for any information to be reported in complex and international supply networks, for example, in the context of future regulation on keeping conditions of the sustainable development goals.

Conclusion
In this paper, we outline a technically and substantively new approach for CO 2 emission tracing in energy systems by using shielded NFTs with fractional ownership to enable an end-to-end verifiability of emission data. Our approach integrates both businesses and end consumers on a transparent, decentralized architecture while addressing privacyrelevant requirements. Against the background that primary and verifiable CO 2 data is not available to end consumers, so far, and for enterprises merely in scope of a one year period, we consider our approach an enabler of a CO 2 -adaptive decision making for end consumers and businesses that is one of the keys for promoting the energy transition ). Our concept builds on established cryptographic primitives like hash functions, Merkle trees, and digital signatures, in combination with blockchainbased NFTs and ZKPs. Building on previous privacy-oriented constructions of blockchain-based tokens such as Sasson et al. (2014) or Nightfall (EYBlockchain 2020), we implement fractional ownership for shielded NFTs, which are linked to digital certificates stored and exchanged off-chain that include detailed information on carbon emissions and, thus, prevent double usage of CO 2 certificates through a transparent public ledger without disclosing additional information (privacy-by-design). Our approach hence allows us to leverage the benefits of a decentralized architecture in terms of openness and transparency as pointed out by related work, yet keeps information on stakeholders' CO 2 emission data completely confidential without compromising traceability. We illustrate the applicability of our concept by a prototypical implementation and discuss corresponding contributions and implications, e.g., its benefits for information availability, traceability, and verifiability and the associated opportunities on deep decarbonization. Our approach may also be promising in more general settings, for instance, for the exchange and verification of dynamic data and specifically quantitative proofs of origin in complex supply networks-a challenge that several publications have pointed to Platt et al. 2021).
Nevertheless, our research is subject to several limitations. First of all, we have not benchmarked the system in long-term and large scale use cases yet. Moreover, the concept that we develop in this paper as well as its applicability is only described in the narrow context of tracing CO 2 emissions when charging an electric vehicle. That means it does not yet include functionalities for CO 2 trading or a corresponding market, as our approach currently focuses on establishing a positive registry that cannot enforce stakeholders to pay for holding CO 2 certificates (fractions of shielded NFTs). We aim to connect this registry with existing frameworks which, for instance, incorporate such a billing process at the end of a specific epoch. This could be achieved, for instance, through governance processes that require an exchange of CO 2 certificates in every business interaction, or through cryptographic approaches like anonymized, account-based systems linked to stakeholders' digital identities, as described in Gross et al. (2021).
We believe that our approach could be a promising and inspiring starting point for further research. Scholars may evaluate how to develop our approach so that it can establish a CO 2 trading market. Moreover, future research may consider the role of CO 2 budgets for citizens, i.e., end consumers, against this background. From a practical perspective, we close the gap between existing concepts for CO 2 tracing and their confidentiality and traceability requirements and present an open approach that may help avoid fragmented systems with boundaries. Regarding a comprehensive implementation of such a system, policy-oriented scholars may elaborate on how to bring this system to practice. Furthermore, real world implementations have to further address the oracle problem to ensure the integrity of external data that decentralized sources feed into the system. Research regarding this problem can be both on a high, application overarching level, as well as focused on solving the oracle problem for specific applications of the system. Although researcher and practitioners already discuss this problem and develop general solutions, an application specific transfer of this research stream is still needed. From a technical perspective, our approach's performance in a large-scale system could be considered in more detail and the suitability of improvements, for instance, incremental optimizations of performance through optimizing cryptographic primitives involved in the ZKP circuits, general scalability solutions for blockchains such as sharding and rollups, or other compression techniques for ZKPs like Gailly et al. (2021) or recursion, which is not yet available with the implementation of the Groth16 proof system that we used but with alternative systems like Plonky2 (Farmer 2022). In sum, the research question how to design an interoperable, scalable IS for tracing CO 2 emissions remains a highly relevant and exciting interdisciplinary endeavour that requires research on the intersection between economic (energy markets) and technical (applied cryptography, high-performance systems) scholars.